Reported (VulDB) stack-based buffer overflow in llvm::StringMap::insert
in lib/IR/ValueSymbolTable.cpp (ValueSymbolTable module), reachable only
by locally feeding crafted IR/input to LLVM tooling. NVD carries the
"disputed" tag and the record notes "The presence of this vulnerability
remains uncertain". The LLVM project explains that the reported behavior
is outside its documented security scope and is therefore not considered
a security vulnerability (LLVM libraries are not a security boundary for
untrusted input). Reported against llvm-project 22.1.x; the shipped
toolchain is 19.1.7. Debian classifies it as an unimportant issue. No
code change required.
https://security-tracker.debian.org/tracker/CVE-2026-13573